Hybrid AD joined rather than Entra ID Joined


Hi All,

A few years ago, when we tentatively started using Intune in our hybrid on-premise AD environment, and most devices were AD-joined rather than AAD-joined, we turned off Windows Hello for Business.
Now that we are in the process of winding down our on-premise configuration, all new devices log into AAD and are configured via Intune. Currently, we are about 65-35% in favour of Intune and should be near 100% by EOFY.
We’d now like to include Windows Hello as part of our security upgrades.
What sort of pain am I facing if I turn it back on, bearing in mind the default is All Users, and I can’t see a way to turn it on for a minimal set of users initially?

Posted by John McGuigan in HTMD FB Group


Answers (2)

  1. Replied by Sean Kinney

    John McGuigan has no sense of adventure! LoL.

    Replied by John McGuigan

    Sean Kinney, I know, right?

  2. Replied by Jesse Marsh

    You can leave the Hello configuration not configured and target groups as needed in endpoint protection > identity protection (probably for all AADJ devices or users). Check out Cloud Kerberos Trust if you want on-prem users to use Hello. Relatively painless if it’s just a basic environment with files and an application or two; NPS stuff may break.

    Replied by John McGuigan

    Jesse Marsh, I’m happy to leave the on-premise users alone. Everything has moved bar two legacy services that will be gone by the end of the financial year, and they have their own credential system that isn’t SSO.
    I’ll take a look at your suggestion this week. Thanks.

    Replied by Jesse Marsh

    Cool gl
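As an added example (not part of the thread above), a PowerShell check to run on a device before adding it to the targeted Hello group: it reads the join state and Hello key provisioning from `dsregcmd /status`, so you can see which devices are still hybrid-joined versus Entra ID joined. It assumes the `AzureAdJoined`, `DomainJoined` and `NgcSet` fields of `dsregcmd` output, and the registry location used for the Cloud Kerberos Trust policy value is an assumption you should verify on your own devices.

```powershell
# Added example, not from the original post. Classify a device's join state and
# Windows Hello for Business provisioning from dsregcmd /status.
# Assumption: run in the signed-in user's session so the "User State" section
# (which carries NgcSet) is populated.
function Get-JoinAndHelloState {
    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        # Lines look like "   AzureAdJoined : YES"; keep the last value seen per key.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aad = $fields['AzureAdJoined'] -eq 'YES'
    $dom = $fields['DomainJoined']  -eq 'YES'
    $join = if ($aad -and $dom) { 'Hybrid Entra joined (still has on-prem AD join)' }
            elseif ($aad)       { 'Entra ID joined' }
            elseif ($dom)       { 'On-prem AD only' }
            else                { 'Not joined' }

    # Cloud Kerberos Trust policy value. The registry path is an assumption about
    # where the PassportForWork policy lands; verify it against a known-good device.
    $ckt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
             -Name 'UseCloudTrustForOnPremAuth' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        JoinType            = $join
        HelloKeyProvisioned = ($fields['NgcSet'] -eq 'YES')
        CloudKerberosTrust  = [bool]($ckt.UseCloudTrustForOnPremAuth -eq 1)
    }
}

Get-JoinAndHelloState | Format-List
```

A device reporting `Hybrid Entra joined` with `CloudKerberosTrust` false is the case where enabling Hello for that user would leave on-prem resources (file shares, NPS-backed services) without Kerberos tickets, which is the breakage the answer warns about.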
